Who may be affected
- Cloud One - Endpoint & Workload Security or Trend Vision One Endpoint Security - Server & Workload Protection users
- Trend Vision One - Server and Workload Protection agent version is between 20.0.0.6658 and 20.0.1.7380, or DSA version is above 20.0.0.6658.
- Service Gateway, acting as a forward proxy, is the ONLY way for DSA to connect to the Cloud One - Endpoint & Workload Security server or the Trend Vision One Endpoint Security - Server & Workload Protection server.
Impact time period
- 2024-08-27 8:48:40 UTC (Full Sync SG data) ~ 2024-8-28 12:53 UTC (rollback feature)
This issue should have only impacted August 27 (8:48 UTC) - 28 (12:53 UTC) when the new feature was released. It was then disabled within a few hours after some customers escalated the issue. Therefore, this issue would only have affected customers during that period.
Recovery plan
The following are pre-check steps from the endpoint side.
- Use the commands below to check the contents of the agent policy.
  On Linux and Unix hosts, run the following command in a shell:
      /opt/ds_agent/sendCommand --get GetConfiguration | grep ServiceGatewayModule
  On Windows hosts, run in Command Prompt:
      "C:\Program Files\Trend Micro\Deep Security Agent\sendCommand" --get GetConfiguration | find "ServiceGatewayModule"
- If the name attribute contains ; (for example "fps;sps"), it means that the offline error is caused by this issue. Below is an example:
      <ServiceGatewayModules>
        <ServiceGatewayModule port='80' name='fps;sg-gcs;lau'/>
      </ServiceGatewayModules>
      <ServiceGatewayModules>
        <ServiceGatewayModule port='80' name='fpsdisabled;sg-gcsdisabled'/>
      </ServiceGatewayModules>
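The pre-check above can be scripted for Linux and Unix hosts. The following is an added example, not Trend Micro code: the function names are hypothetical, the affected sample is the one shown above, and the unaffected sample is constructed on the assumption that a healthy entry has no ; in its name attribute.

```shell
#!/bin/sh
# Added example: classify GetConfiguration output for the ';' condition.
# Real use on an agent host:
#   /opt/ds_agent/sendCommand --get GetConfiguration | sg_policy_affected

# Print the name attribute of every ServiceGatewayModule element on stdin,
# one per line. Accepts single- or double-quoted attributes and several
# elements on one line; the <ServiceGatewayModules> wrapper is not matched.
sg_module_names() {
    grep -o "<ServiceGatewayModule [^>]*>" |
        sed -n "s/.*[[:space:]]name=['\"]\([^'\"]*\)['\"].*/\1/p"
}

# Return 0 and print the offending names if any module name contains ';'.
# Return 1 (and print nothing) otherwise.
sg_policy_affected() {
    names=$(sg_module_names)
    affected=$(printf '%s\n' "$names" | grep ';' || true)
    [ -n "$affected" ] || return 1
    printf '%s\n' "$affected"
}

# Sample taken from the example above.
SAMPLE_AFFECTED="<ServiceGatewayModules> <ServiceGatewayModule port='80' name='fps;sg-gcs;lau'/> </ServiceGatewayModules>"
# Constructed sample: assumed shape of an unaffected policy (one name per module).
SAMPLE_CLEAN="<ServiceGatewayModules> <ServiceGatewayModule port='80' name='fps'/> <ServiceGatewayModule port='8080' name='sg-gcs'/> </ServiceGatewayModules>"

for sample in "$SAMPLE_AFFECTED" "$SAMPLE_CLEAN"; do
    if hit=$(printf '%s\n' "$sample" | sg_policy_affected); then
        echo "AFFECTED: name='$hit'"
    else
        echo "not affected"
    fi
done
```

The exit status makes the check usable from a fleet management tool: a zero status marks a host that needs the recovery steps below.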
Allow agents to connect directly to the Cloud One - Endpoint & Workload Security server or the Trend Vision One Endpoint Security - Server & Workload Protection server so that they can complete heartbeat and policy sync successfully within 1-2 heartbeat times (less than 30 mins). Check that the agents are online and that they sync Service Gateway - Forward Proxy Service correctly. As an option, disable the Server & Workload Protection direct Internet connection.
For more information, refer to the Help Center article, Trend Micro Cloud One: Port numbers, URLs, and IP addresses.
Once the agent is back online, check whether the Send Policy Successful column has been updated recently.
You may also force send policy from the Computers page. Right-click the virtual machine, click Action > Send Policy.
The following applies to both Linux and Windows DSA.
- Log on to the Cloud One - Endpoint & Workload Security console.
- Navigate to Administration > Updates > Software > Local > Generate Deployment Scripts. On "Proxy to contact Workload Security Manager", select a Service Gateway that agents can reach, then copy the values of PROXY_ADDR_PORT and PROXY_CREDENTIAL.
- Go to the agent localhost, type the following command.
  On Linux and Unix hosts, run in a shell:
      $ /opt/ds_agent/dsa_control -x "dsm_proxy://<value-of-PROXY_ADDR_PORT>/" -u "<value-of-PROXY_CREDENTIAL>"
      $ sleep 10
      $ /opt/ds_agent/dsa_control -m
  On Windows hosts, run in Command Prompt:
      > "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -x "dsm_proxy://<value-of-PROXY_ADDR_PORT>/" -u "<value-of-PROXY_CREDENTIAL>"
      > timeout 10
      > "C:\Program Files\Trend Micro\Deep Security Agent\dsa_control.cmd" -m
  For more information, visit the Help Center article, Trend Micro Cloud One: Command-line basics.
- Go back to Cloud One - Endpoint & Workload Security, then check the status of the impacted agents.